SSL Certificates, Trusts, and SharePoint 2010

March 8, 2012

We were having a 3rd party migration tool fail at bringing over some web parts from our 2007 farm to our 2010 farm. Looking through the Windows Event Logs on the 2010 server, I found a number of these errors:

Source: SharePoint Foundation

Event ID: 8311

An operation failed because the following certificate has validation errors:\n\nSubject Name: CN=contoso.com, OU=IT, O=”Contoso”, L=Redmond, S=WA, C=US\nIssuer Name: CN=InternalCertAuthority, DC=Contoso, DC=com\nThumbprint: <biglongGUID>\n\nErrors:\n\n The root of the certificate chain is not a trusted root authority..

The InternalCertAuthority certificate our company’s own self-signed certificate. I checked, and it is in the Trusted Root Certification Authorities store on all servers in our farm. You can verify that your cert is in the proper store by one of two methods.

In IE, click on Tools->Internet Options. Click on the Content tab and click the Certificates button. Click on the Trusted Root Certification Authorities tab and find your cert.

Alternately, you can use MMC. From the start button, enter mmc in the “Search programs and files” text box. In the MMC window, select File->Add/Remove Snap-in. Highlight Certificates in the left pane, click the Add > button in the middle and click OK. Select My user account and click Finish. Expand the navigation pane “Certificates – current user”->”Trusted Root Certification Authorities”->”Certificates” and find your cert.

If it is not there, you can import it. Get a copy of the certificate from your internal certificate server. It should be in the *.cer format.

Save that file somewhere and open up Central Administration. Go to Security->General Security->Manage Trust. You should see “local” in there, that is SharePoint’s own self-signed certificate. SharePoint uses this to encrypt traffic between servers in the farm. But now, you need to add your company’s self-signed root certificate here. Click the “New” button in the upper left. Give a friendly name to the certificate – “Contoso self-signed” or whatever. Click the Browse button and go to the location where you saved your copy of the certificate. Then click OK.

At this point, everything should be great. You should see your certificate listed on the “Trust Relationships” page.

But you may have gotten an error. Maybe after you clicked OK, you got a message that says “The Root Certificate that was just selected is invalid. This may be because the selected certificate requires a password and we do not support certificates that require a password. Please select another certificate.” How can that be? The cert doesn’t require a password! What is going on?

I’m not sure what is going on, but I know how to get around this error. You can create Trust Relationships through PowerShell, and it is pretty simple. Microsoft’s documentation is here: http://technet.microsoft.com/en-us/library/ff607586.aspx . For this, you need to save the certificate from your company’s certificate authority somewhere on a server in your farm. On that server, open SharePoint 2010 Management Shell. Type “New–SPTrustedRootAuthority -Name “FriendlyNameForTrust” -Certificate C:\<location of certificate>”

Now, if you go to the Trust Relationships page in CA, you should see the new trust. This fixed our issue with our migration tool and cleared up the errors in the event log.

Share this:

Like this:

I had the same problem with trying to add a certificate to setup Content Deployment path over https (ssl). Even though the cert was exported without the private key it was still erroring that it required a password. The powershell script did the trick. Thanks!